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Configuring Remote Access IPSec VPNs 



Remote access VPNs let single users connect to a central site through a secure connection over a TCP/IP 
network such as the Internet. 

This chapter describes how to build a remote access VPN connection. It includes the following sections: 

• Summary of the Configuration, page 32-1 

• Configuring Interfaces, page 32-2 

• Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface, page 32-3 

• Configuring an Address Pool, page 32-4 

• Adding a User, page 32-4 

• Creating a Transform Set, page 32-4 

• Defining a Tunnel Group, page 32-5 

• Creating a Dynamic Crypto Map, page 32-6 

• Creating a Crypto Map Entry to Use the Dynamic Crypto Map, page 32-7 



Summary of the Configuration 



This chapter uses the following configuration to explain how to configure a remote access connection. 
Later sections provide step-by-step instructions. 
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# interface ethernetO 

if)# ip address 10.10.4.200 255.255.0.0 

if)# nameif outside 



no shutdown 
isakmp policy 
isakmp policy 
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1 authentication pre-share 

1 encryption 3des 

1 hash sha 

1 group 2 

1 lifetime 43200 
isakmp enable outside 

ip local pool testpool 192.168.0.10-192.168.0.15 
username testuser password 12345678 

crypto ipsec transform set FirstSet esp-3des esp-md5-hmac 
tunnel-group testgroup type ipsec-ra 
tunnel-group testgroup general-attributes 
general) # address-pool testpool 

# tunnel-group testgroup ipsec-attributes 
ipsec) # pre-shared-key 44kkaol59636 jnfx 

# crypto dynamic-map dynl 1 set transform-set FirstSet 
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hostname (config) # crypto dynamic-map dynl 1 set reverse-route 
hostname (config) # crypto map mymap 1 ipsec-isakmp dynamic dynl 
hostname (config) # crypto map mymap interface outside 

hostname (config) # write memory 



Configuring Interfaces 



A security appliance has at least two interfaces, referred to here as outside and inside. Typically, the 
outside interface is connected to the public Internet, while the inside interface is connected to a private 
network and is protected from public access. 

To begin, configure and enable two interfaces on the security appliance. Then assign a name, IP address 
and subnet mask. Optionally, configure its security level, speed and duplex operation on the security 
appliance. 

To configure interfaces, perform the following steps, using the command syntax in the examples: 

Step 1 To enter Interface configuration mode, in global configuration mode enter the interface command with 
the default name of the interface to configure. In the following example the interface is ethernetO. 

hostname (config) # interface ethernetO 

hostname (conf ig-if ) # 

Step 2 To set the IP address and subnet mask for the interface, enter the ip address command. In the following 
example the IP address is 10.10.4.100 and the subnet mask is 255.255.0.0. 

hostname (conf ig-if ) # ip address 10.10.4.200 255.255.0.0 

hostname (conf ig-if ) # 

Step 3 To name the interface, enter the nameif command, maximum of 48 characters. You cannot change this 
name after you set it. In the following example the name of the ethernetO interface is outside. 

hostname (conf ig-if ) # nameif outside 

hostname (conf ig-if ) ## 

Step 4 To enable the interface, enter the no version of the shutdown command. By default, interfaces are 
disabled. 

hostname (conf ig-if ) # no shutdown 

hostname (conf ig-if ) # 

Step 5 To save your changes, enter the write memory command. 

hostname (conf ig-if ) # write memory 
hostname (conf ig-if ) # 

Step 6 To configure a second interface, use the same procedure. 
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Configuring ISAKMP Policy and Enabling ISAKMP on the 
Outside Interface 

The Internet Security Association and Key Management Protocol, also called IKE, is the negotiation 
protocol that lets two hosts agree on how to build an IPSec Security Association. Each ISAKMP 
negotiation is divided into two sections called Phasel and Phase2. 

Phase 1 creates the first tunnel to protect later ISAKMP negotiation messages. Phase 2 creates the tunnel 
that protects data travelling across the secure connection. 

To set the terms of the ISAKMP negotiations, you create an ISAKMP policy. It includes the following: 

• An authentication method, to ensure the identity of the peers. 

• An encryption method, to protect the data and ensure privacy. 

• A Hashed Message Authentication Codes method to ensure the identity of the sender and to ensure 
that the message has not been modified in transit. 

• A Diffie-Hellman group to set the size of the encryption key. 

• A time limit for how long the security appliance uses an encryption key before replacing it. 

See on page 27-3 in the "Configuring IPSec and ISAKMP" chapter of this guide for detailed information 
about the IKE policy keywords and their values. 

To configure ISAKMP policies, in global configuration mode, enter the isakmp policy command with 
its various arguments. The syntax for ISAKMP policy commands is 
isakmp policy priority attribute_name [attribute_value I integer]. 

Perform the following steps and use the command syntax in the following examples as a guide. 

Step 1 Set the authentication method. The following example configures preshared key. The priority is 1 in this 
and all following steps. 

hostname (config) # isakmp policy 1 authentication pre-share 

hostname (config) # 

Step 2 Set the encryption method. The following example configures 3DES. 

hostname (config) # isakmp policy 1 encryption 3des 

hostname (config) # 

Step 3 Set the HMAC method. The following example configures SHA-1. 

hostname (config) # isakmp policy 1 hash sha 

hostname (config) # 

Step 4 Set the Diffie-Hellman group. The following example configures Group 2. 

hostname (config) # isakmp policy 1 group 2 

hostname (config) # 

Step 5 Set the encryption key lifetime. The following example configures 43,200 seconds (12 hours). 

hostname (config) # isakmp policy 1 lifetime 43200 

hostname (config) # 

Step 6 Enable ISAKMP on the interface named outside. 

hostname (config) # isakmp enable outside 

hostname (config) # 
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Step 7 To save your changes, enter the write memory command. 

hostname (config) # write memory- 
hostname (conf ig) # 



Configuring an Address Pool 



The security appliance requires a method for assigning IP addresses to users. A common method is using 
address pools. The alternatives are having a DHCP server assign address or having an AAA server assign 
them. The following example uses an address pool. 

Step 1 To configure an address pool, enter the ip local pool command. The syntax is 

ip local pool poolname first _address-last_address. In the following example the pool name is testpool. 

hostname (conf ig) # ip local pool testpool 192.168.0.10-192.168.0.15 

hostname(config)# 
Step 2 Save your changes. 

hostname (conf ig) # write memory 
hostname (config) # 



Adding a User 

To identify remote access users to the security appliance, configure usernames and passwords. 

Step 1 To add users, enter the username command. The syntax is username username password password. In 
the following example the username is testuser and the password is 12345678. 

hostname (conf ig) # username testuser password 12345678 

hostname(config)# 
Step 2 Repeat Step 1 for each additional user. 



Creating a Transform Set 



A transform set combines an encryption method and an authentication method. During the IPSec security 
association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a 
particular data flow. The transform set must be the same for both peers. 

A transform set protects the data flows for the access list specified in the associated crypto map entry. 
You can create transform sets in the security appliance configuration, and then specify a maximum of 1 1 
of them in a crypto map or dynamic crypto map entry. For more overview information, including a table 
that lists valid encryption and authentication methods, see Creating a Transform Set in Chapter 36, 
"Configuring LAN-to-LAN IPSec VPNs" of this guide. 
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Step 1 To configure a transform set, in global configuration mode enter the crypto ipsec transform-set 
command. The syntax is: 

crypto ipsec transform-set transfortn-set-name encryption-method authentication-method 

The following example configures a transform set with the name FirstSet, esp-3des encryption, and 
esp-md5-hmac authentication: 

hostname (config) # crypto ipsec transform set FirstSet esp-3des esp-md5-hmac 

hostname (config) # 



Step 2 Save the changes. 



hostname (config) # write memory 

hostname (config) # 



Defining a Tunnel Group 



A tunnel group is a set of records that contain tunnel connection policies. You configure a tunnel group 
to identify AAA servers, specify connection parameters, and define a default group policy. The security 
appliance stores tunnel groups internally. 

There are two default tunnel groups in the security appliance system: DefaultRAGroup, which is the 
default IPSec remote-access tunnel group, and DefaultL2Lgroup, which is the default IPSec 
LAN-to-LAN tunnel group. You can change them but not delete them. The security appliance uses these 
groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when 
there is no specific tunnel group identified during tunnel negotiation. 

To establish a basic remote access connection, you must set three attributes for a tunnel group: 

• Set the connection type to IPSec remote access. 

• Configure the address assignment method, in the following example, address pool. 

• Configure an authentication method, in the following example, preshared key. 

Step 1 To set the connection type to IPSec remote access, enter the tunnel-group command. The command 

syntax is tunnel-group name type type, where name is the name you assign to the tunnel group, and type 
is the type of tunnel. The tunnel types as you enter them in the CLI include the following: 

• ipsec-ra (IPSec remote access) 

• ipsec-121 (IPSec LAN to LAN) 

In the following example the name of the tunnel group is testgroup. 

hostname (config) # tunnel-group testgroup type ipsec-ra 

hostname (config) # 

Step 2 To configure an authentication method for the tunnel group, enter the general-attributes mode and then 
enter the address-pool command to create the address pool. In the following example the name of the 
group is testgroup and the name of the address pool is testpool. 

hostname (config) # tunnel-group testgroup general -attributes 
hostname (conf ig-general) # address-pool testpool 
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Step 3 To configure the authentication method, enter the ipsec-attributes mode and then enter the 

pre-shared-key command to create the preshared key. You need to use the same preshared key on both 
the security appliance and the client. 

X 

Note The preshared key must be no larger than that used by the VPN client. If a Cisco VPN Client with a 
different preshared key size tries to connect to a security appliance, the client logs an error message 
indicating it failed to authenticate the peer. 

The key is an alphanumeric string of 1-128 characters. In the following example the preshared key is 
44kkaol59636jnfx. 

hostname (config) # tunnel-group testgroup ipsec-attributes 
hostname (conf ig-ipsec) # pre-shared-key 44kkaol59636 jnfx 

Step 4 Save your changes. 

hostname (conf ig) # write memory- 
hostname (config) # 



Creating a Dynamic Crypto Map 



The security appliance uses dynamic crypto maps to define a policy template where all the parameters 
do not have to be configured. These dynamic crypto maps let the security appliance receive connections 
from peers that have unknown IP addresses. Remote access clients fall in this category. 

Dynamic crypto map entries identify the transform set for the connection. You also enable reverse 
routing, which lets the security appliance learn routing information for connected clients, and advertise 
it via RIP or OSPF. 

Step 1 To specify a transform set for a dynamic crypto map entry, enter the crypto dynamic-map set 
transform-set command. 

The syntax is crypto dynamic -map dynamic -map -name seq-num set transform-set 

transform-set-name. In the following example the name of the dynamic map is dynl, the sequence 
number is 1, and the transform set name is FirstSet. 

hostname (conf ig) # crypto dynamic-map dynl 1 set transform-set FirstSet 

hostname (config) # 



Step 2 



To enable RRI for any connection based on this crypto map entry, enter the crypto dynamic-map set 
reverse route command. 



hostname (conf ig) # crypto dynamic-map dynl 1 set reverse-route 

hostname (config) # 

Step 3 Save your changes. 

hostname (conf ig) # write memory 

hostname (config) # 
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Creating a Crypto Map Entry to Use the Dynamic Crypto Map 

Next create a crypto map entry that lets the security appliance use the dynamic crypto map to set the 
parameters of IPSec security associations. 

In the following examples for this command, the name of the crypto map is mymap, the sequence number 
is 1, and the name of the dynamic crypto map is dynl, which you created in the previous section, 
"Creating a Dynamic Crypto Map." Enter these commands in global configuration mode. 

Step 1 To create a crypto map entry that uses a dynamic crypto map, enter the crypto map command. The 
syntax is crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name. 

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dynl 

hostname (conf ig) # 

Step 2 To apply the crypto map to the outside interface, enter the crypto map interface command. 
The syntax is crypto map map-name interface interface-name 

hostname (conf ig) # crypto map mymap interface outside 

hostname (conf ig) # 
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